Why are we still constantly surprised that Intelligence (espionage) Agencies do exactly what they’re supposed to do?

Intelligence agencies belonging to nation-states perform cyber-espionage. That’s a fact, and it’s been a fact for decades. No worth arguing otherwise or claiming that they are breaking the law – it’s their mandate and they don’t try to hide it.

I’m not surprised when Leo Messi scores a goal, when a fireman puts out a fire or when a politician lies, so why should I be surprised when intelligence agencies gather intelligence? It used to be all about HUMINT, VISINT, SIGINT, OSINT, and now it’s about CYBINT (which is actually just a natural part of SIGINT). And everybody’s in it.

Recently, it seems that every other day some cyber research company (or comrade Snowden) gets headlines after they publish a long and colorful report regarding “the latest, most advanced, longest-lasting, stealthiest, most widespread” cyber-espionage campaign performed by a “nation-state entity”. Wow! That’s terrible news! If that’s the case I should just open a bottle of scotch and sing “We’ll meet again” as I wait for the end of the world (I’ll probably do that anyway, without the “end of the world” part).

Or maybe…

I should (a) remember that those companies are trying to scare me into buying their products even if the threat is not directed at me, and (b) remember what those agencies’ objectives are, what their assets-of-interest are, and see if it actually affects me. If I’m a government agency or part of the military/defense sectors, well, I should probably consider myself a viable target for national level espionage (and especially cyber-espionage) and prepare accordingly. But if the assets I hold in my networks and databases are close to irrelevant for nation-states, why should I be so alarmed?

It’s easy to say: “well, if I’m going to be hacked anyhow, I should just give up”, but that’s not helpful, and moreover, you’d have to bear the severe consequences. It’s imperative for companies and organizations, no matter the size, sector or location, to take a deep breath, map and prioritize their assets in their different environments, and then make an informed, rational cyber-security decision, rather than react to fear and intimidation.

Now, that doesn’t come to say that all espionage campaigns are irrelevant for many organizations. On the contrary, rogue espionage-for-hire groups, competitors and organized-crime target many different types of organizations for their sensitive IP, client base and business plans and organizations should be aware of this peril and defend themselves in advance. But, still, the assets these attackers are after differ from the ones nation-states are after.